One of the factors thought to limit the growth of electronic commerce today is the lack of sufficient trust on the part of customer in the security and integrity of the electronic commerce systems employed.
The Internet and the World Wide Web provide users with a robust communications network enabling communications with computers throughout the world. It is now increasingly common for customers to communicate and place orders with distant vendors using the Internet. When customers shop at local stores, shop keepers know the customer or if necessary may inspect identification documents to authenticate the customer if needed. However, since the Internet communications are not in person, it may be necessary to use some other authentication system.
Much of the effort undertaken in the electronic authentication area has concerned authenticating the remote user or customer to the electronic commerce site and there are many such systems available for authenticating the user. If the web site is duped into believing it is communicating with one entity, but it is in fact communicating with a different entity, it may transfer money or other valuables or goods to the wrong party during the perpetration of a fraud. Similarly, such a duped web site might provide access to sensitive information to the wrong entity. Since such electronic commerce vendors may loose significant funds in such substitution attacks, many vendors take precautions to authenticate the user. Elaborate user authentications systems have been proposed including those using out-of-band authentication communications paths employing biometric authentication response to challenges that are required before access to the in-band electronic system is provided. For example, U.S. Patent Application Publication 2006/0041755 A1 entitled Multichannel Device utilizing a Centralized Out-of-Band Authentication System (COBAS) and published Feb. 23, 2006 describes biometric user authentication systems. Such systems are directed to authenticating a user to the web server.
Considering the converse server authentication process, in the scenario of a bricks-and-mortar shop, there is little chance that the customer will be duped into dealing with a party who is not the shop owner. Furthermore, delivery may be a prerequisite of payment for an in-person brick-and-mortar shopping experience. The user has few options available for authenticating the electronic commerce web server (in other words, making sure that the user is communicating with the organization that it believes it is communicating with). The systems that are available are not terribly effective since they are not easy to use. Unfortunately, in Internet commerce, Phishing attacks are becoming increasingly common whereby an unsuspecting user will be redirected to a fraudulent location using a link that the user believes points to an authentic and respectable business. Once the user reaches the fraudulent web site, the user is induced into providing usernames and passwords to the perpetrator of the fraud. After the perpetrator has obtained the actual authentication information, they use that information at the authentic electronic commerce site in an identity theft attack. Since the perpetrator then possesses the authentication information, the electronic commerce site is duped into believing that it is dealing with the actual customer. Furthermore, it is even possible that the actual Internet address of a respectable business could be high-jacked by a fraudulent party. Accordingly, there is a need to provide the user with a straightforward mechanism to authenticate the electronic commerce site before providing confidential information such as usernames, passwords and credit account information.
There have unfortunately been such a large number of attacks on electronic commerce systems including Phishing attacks that companies are beginning to take efforts to combat such abuses. In order to take measures to protect against the Phishing attack problem, some web sites provide a cryptographic certificate to allow the user to verify that the web site is authentic. However, the process of using such certificates is complicated and not readily understood by the average electronic commerce user. Thus, such conventional certificate methods that allow a user to authenticate the web site may be largely ineffective because they are too difficult to use. Accordingly, the average customer with average ability is unable to determine with a high degree of confidence and certainty that the web site he is navigating is authentic. Additional systems have also been proposed. For example, in U.S. Pat. No. 7,100,049 B2, issued Aug. 29, 2006 to Gasparini, et al., entitled Method and Apparatus for Authentication of Users and Web Sites, systems for authentication of web sites using a single in-band communications channel are described in response to Phishing attacks that display information recognizable to the user. In a typical Phishing attack, a fraudulent email is sent to a user purportedly from a financial institution that the user is a customer of. The email contains a link that appears to lead to an authentic financial institution, but it actually points to a fraudulent site that attempts to elicit confidential information.
When such Phishing attacks are successful, both the users and the electronic commerce businesses suffer. They may suffer losses of time and productivity in rectifying the situation, money and they may suffer damage to their reputation or creditworthiness standing. Accordingly, there is a need for a system and method that can securely authenticate a web site to a user that is easy to use. Additionally, there is a need to provide convenient out-of-band communications to facilitate web site authentication such as by a challenge response system.